Post on 30-Dec-2015
David Evans
http://www.cs.virginia.edu/evans
CS588: Security and Privacy
University of Virginia, Computer Science
Lecture 7: Using Block Ciphers
Images from http://rfidanalysis.org/
10 February 2005, University of Virginia CS 588
Menu
• PS2
• Modes of Operation
• Differential Cryptanalysis
Sorry, PS1 is not ready to return yet! If you want it back before then, find me at my office tomorrow morning, or get it from Matt during his office hours (2:30-3:30 tomorrow).
Ken Elzinga's Theory on Writing Mysteries
• Requires:
  – Creativity
  – Discipline
• Very few people can be both
• Most good mystery novels are written by pairs:
  – "Marshall Jevons" = Bill Breit and Ken Elzinga
  – "Ellery Queen" = Manfred Lee and Frederic Dannay
Dave Evans' Theory on Cryptography
• Requires:
  – Creativity
  – Discipline
• Very few people can be both
• Most good ciphers are designed (and broken) by small teams:
  – Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE)
Creativity vs. Discipline
• Creativity: mostly about breaking rules
• Discipline: mostly about following rules
  – Rules = internal consistency, mathematical correctness, sticking with stated assumptions
• The US was founded by rebels and has lots of space, so we value creativity most (except in teenagers and soldiers)
RSA [1978]
• Ron Rivest and Adi Shamir tried to find ways to implement public-key cryptography
• Len Adleman poked holes in their first dozen ideas
• Eventually, they found one he couldn't
• Adleman thought the cipher should be called RS (but Rivest convinced him otherwise)
We'll cover RSA after spring break, but you've probably heard of it already. It's the most important cipher invented since the One Time Pad (Vernam, 1917).
Overstatement?
"The most important technological breakthrough in the last thousand years."
– Lawrence Lessig
(Possibly an overstatement, but he's a lawyer)
PS2 Teams
• Must be diverse in at least 2 of these:
  – Nationality
  – Major (CS/Math/ECE/Bioinformatics/other)
  – Year (Grad/4th/3rd/other)
  – Liked breaking two-time pad (yes/no)
• Examples:
  – An Australian bioinformatics major can work with anyone
  – A USian, 4th-year CS major who liked breaking the two-time pad can't work with a USian 3rd-year CS major unless she/he didn't like breaking the two-time pad
  – If you can get Ron Rivest, Adi Shamir or Len Adleman on your team, you don't need to worry about the other rules
Find a partner before leaving today!
Modes of Operation
• Transmitting a long plaintext using 3DES: $P = P_1 \| P_2 \| \dots \| P_N$
• Electronic Codebook Mode: $C = E_K(P_1) \| E_K(P_2) \| \dots \| E_K(P_N)$
• Problems:
  – Any identical plaintext blocks are encrypted identically
    • 64 bits = 8 ASCII characters
    • Reveals a lot about your message even if the cipher is unbroken: an eavesdropper sees which blocks repeat, and where
  – Lots of ciphertext encrypted with the same K
Cipher Block Chaining
(Figure: CBC encryption. P1 ⊕ IV → DES_K → C1 (to receiver); P2 ⊕ C1 → DES_K → C2 (to receiver); ...)
Cipher Block Chaining
$C_i = E_K(P_i \oplus C_{i-1})$, with $C_1 = E_K(P_1 \oplus IV)$
Decrypt:
$M_i = D_K(C_i) \oplus C_{i-1}$
$M_1 = D_K(C_1) \oplus IV$
Check: $D_K(E_K(P_i \oplus C_{i-1})) \oplus C_{i-1} = P_i \oplus C_{i-1} \oplus C_{i-1} = P_i$
Cipher Feedback Mode
(Figure: CFB with j-bit feedback. A shift register initialised with the IV is encrypted with DES_K; the leftmost j bits of the output are XORed with j bits of P1 to give C1, which goes to the receiver and is also shifted into the register; repeat for P2, C2, ...)
Does the IV need to be secret?
(No: it is sent in the clear. It does have to be different for every message encrypted under the same K: reusing an IV in CFB or OFB reuses the keystream E_K(IV) for the first block, so C1 ⊕ C1' = P1 ⊕ P1', the two-time pad problem again.)
Output Feedback Mode
(Figure: OFB with j-bit feedback. Same register and DES_K as CFB, but the j output bits of the cipher, not the ciphertext, are shifted back into the register; C1 = P1 ⊕ (j output bits), C2 likewise, ...)
CFB vs OFB
(Figure: the two j-bit feedback diagrams side by side. CFB shifts the ciphertext C_i back into the register, so the keystream depends on the data; OFB shifts the cipher output back, so the keystream is independent of the data.)
Which is better for wireless transmissions?
Which is better for preventing message tampering?
(In OFB a flipped ciphertext bit flips only the corresponding plaintext bit, so it tolerates a noisy link; in CFB a corrupted C_i also garbles the following block(s), so tampering is more likely to be noticed. Neither mode detects tampering by itself: an attacker who flips a bit of an OFB ciphertext flips exactly that plaintext bit, undetected. Integrity needs a MAC.)
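The four modes above, and the two questions about error propagation, as an added example that is not part of the original lecture. The block cipher is a toy 8-round Feistel network built on SHA-256 standing in for DES (an assumption, not DES); CFB uses full-block feedback (j = 64); key, IV and plaintext are constructed sample values. The plaintext deliberately repeats a block three times so that ECB's leak is visible, and `propagation` flips one ciphertext bit and reports how many plaintext bits change in each block under CBC, CFB and OFB.

```python
import hashlib

BLOCK = 8            # 64-bit blocks, as in DES / 3DES
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256 of (key, round number, half block), truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Generic Feistel network; decryption is the same network with the rounds reversed.
    left, right = block[:HALF], block[HALF:]
    for r in rounds:
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left     # undo the final swap so the same code inverts itself


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E_K: toy Feistel cipher on 64-bit blocks, a stand-in for DES (assumption)."""
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D_K: same network, rounds in reverse order."""
    return _feistel(key, block, reversed(range(ROUNDS)))


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "no padding here: input must be whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in _blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))        # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))   # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    # Full-block CFB (j = 64): the previous ciphertext block is what gets encrypted.
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, encrypt_block(key, prev)))   # only E_K is needed, never D_K
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    # OFB keystream s_i = E_K(s_{i-1}) never depends on the data: one function for both directions.
    out, s = [], iv
    for d in _blocks(data):
        s = encrypt_block(key, s)
        out.append(_xor(d, s))
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    """A transmission error, or an attacker tampering with one ciphertext bit."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def damage_report(good: bytes, bad: bytes):
    """Per block: how many plaintext bits differ after the error."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(g, b))
            for g, b in zip(_blocks(good), _blocks(bad))]


# Constructed sample inputs (not from the lecture).
KEY = b"toy-key!"
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # sent in the clear; must be fresh per message
PT = b"ATTACK!!" * 3 + b"RETREAT!"        # three identical blocks, then a different one
MODES = {"cbc": (cbc_encrypt, cbc_decrypt), "cfb": (cfb_encrypt, cfb_decrypt),
         "ofb": (ofb_crypt, ofb_crypt)}


def ecb_leaks_repeats(key=KEY, pt=PT) -> bool:
    ct = _blocks(ecb_encrypt(key, pt))
    return ct[0] == ct[1] == ct[2] and ct[3] != ct[0]   # ECB exposes the repetition


def cbc_hides_repeats(key=KEY, iv=IV, pt=PT) -> bool:
    return len(set(_blocks(cbc_encrypt(key, iv, pt)))) == 4


def propagation(mode: str, key=KEY, iv=IV, pt=PT, bit=8 * BLOCK):
    """Flip one ciphertext bit (bit 0 of block 1) and see which plaintext blocks suffer."""
    enc, dec = MODES[mode]
    return damage_report(pt, dec(key, iv, flip_bit(enc(key, iv, pt), bit)))


if __name__ == "__main__":
    print("ECB leaks repeats:", ecb_leaks_repeats(), "| CBC hides them:", cbc_hides_repeats())
    for m in MODES:
        print(m, "bits changed per block after one flipped ciphertext bit:", propagation(m))
```

Running it shows CBC garbling block 1 entirely and flipping exactly one bit of block 2, CFB flipping one bit of block 1 and garbling block 2, and OFB flipping only the one bit: the noisy-link answer is OFB, the tamper-evidence answer is CFB, and the OFB result is also why a stream-like mode must be paired with a MAC.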
What does it mean to "break" a cipher?
• Practical:
  – You can determine the plaintext corresponding to some ciphertext without the key
  – You can determine the key given some plaintext-ciphertext pairs
What does it mean to "break" a cipher?
• Academic:
  – You have a technique that does better than brute force (e.g., break 112-bit 3DES with at most $2^{111}$ attempts)
  – You have a technique that does better than brute force on a weakened (fewer rounds, smaller block) version of the cipher (e.g., break DES with 15 rounds)
  – You have identified some mathematical weakness in the cipher, but don't yet know how to use it usefully (e.g., there exist two different keys that map a plaintext to the same ciphertext)
DES Attacks
• Last time:
  – Mostly brute force (guessing all keys)
    • DES keyspace is too small
    • But brute force is nowhere near good enough against 3DES
  – Side-channel: power analysis
• Now: Differential Cryptanalysis
Differential Cryptanalysis
• [Biham & Shamir, 1990]
• With enough work ($2^{47}$) and enough chosen plaintexts ($2^{47}$) can find the key (compared to $2^{56}$ brute-force work)
• Successful academic attack: takes 3 years of encrypting chosen plaintext at 1.5 Mbps to get enough!
• Is a successful practical attack on other ciphers
Differential Cryptanalysis Idea
• Choose plaintext pairs with a fixed difference: $\Delta X = X \oplus X'$
• Use the differences in the resulting ciphertexts to guess key probabilities
• Requires chosen plaintext: the attacker chooses plaintext and receives ciphertext (e.g., the SpeedyPass challenge-response protocol!)
One Round
(Figure: one DES round applied to two inputs X and X'. 32-bit input → E/P → 48 bits → ⊕ K_n → S-boxes → 32 bits → P. Label the intermediate values X1 (after E/P), X2 (after the key XOR), X3 (after the S-boxes) and X4 (after P); primed names are the corresponding values for X'.)

$\Delta X = X \oplus X'$, so $\Delta X_i = 0$ iff $X_i = X_i'$.

E/P preserves values:
$\Delta X_i = 0 \Rightarrow X1_{ep(i)} = X1'_{ep(i)}$
where $ep(i)$ is the function defined by the E table.

The key XOR preserves values: $X2_i = X1_i \oplus K_{n,i}$ and $X2'_i = X1'_i \oplus K_{n,i}$, so
$\Delta X_i = 0 \Rightarrow X2_{ep(i)} = X2'_{ep(i)}$

One Round, cont.
P preserves values: $X3_i = X3'_i \Rightarrow X4_{p(i)} = X4'_{p(i)}$

S-boxes are non-linear!
$\Delta X_i = 0 \not\Rightarrow X3_{s(ep(i))} = X3'_{s(ep(i))}$
But maybe they do probabilistically:
$\Delta X_i = 0 \Rightarrow \Pr[X3_{s(ep(i))} = X3'_{s(ep(i))}] > 0.5$? or $< 0.5$?
Because the same subkey is XORed into both inputs it cancels in the difference, $X2_i \oplus X2'_i = X1_i \oplus X1'_i$, so the probability that a given input XOR to an S-box produces a given output XOR does not depend on the key. It is determined once, by counting over all 64 inputs of each S-box (the XOR distribution tables that follow).
X4 (and hence X3 = P⁻¹(X4)) is known from the ciphertext in the last round.
Differential Characteristics
Inputs: $A = [A_1, A_2, A_3, \dots, A_{64}]$, $B = [B_1, B_2, B_3, \dots, B_{64}]$
Outputs: $a = [a_1, a_2, a_3, \dots, a_{64}] = \{A\}_K$, $b = [b_1, b_2, b_3, \dots, b_{64}] = \{B\}_K$
Differences:
$\Delta P = A \oplus B = [A_1 \oplus B_1, \dots, A_{64} \oplus B_{64}]$
$\Delta C = a \oplus b = [a_1 \oplus b_1, \dots, a_{64} \oplus b_{64}]$
Differential = $(\Delta P, \Delta C)$
These slides are based on Howard Heys' Tutorial on Linear and Differential Cryptanalysis (linked from the course website).
Goal
• Find a particular value of $\Delta P$ for which a particular $\Delta C$ value occurs with high probability
• Allows the attacker to predict bits coming into the last round of the cipher
If you know what one round of DES does, you can find the subkey for that round (fairly easily)!
(Figure from Howard Heys' Tutorial on Linear and Differential Cryptanalysis, http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf)
S-box: S1
6-bit input x1x2x3x4x5x6: bits x1x6 select the row, bits x2x3x4x5 select the column; the entry is the 4-bit output.

         0 1 2 3 4 5 6 7 8 9 A B C D E F
x1x6=00  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
x1x6=01  0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
x1x6=10  4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
x1x6=11  F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

4 inputs to S1 produce 0: 011100, 000001, 111110, 111011
Remember: S-boxes are confusing, but not secret. All DES implementations use the same S-boxes.
Partial pair XOR distribution, S1
Rows: input XOR (6 bits); columns: output XOR (4 bits). Entry = number of the 64 inputs x for which S1(x) ⊕ S1(x ⊕ input XOR) equals the output XOR, so every row sums to 64.

       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0    64  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1     0  0  0  6  0  2  4  4  0 10 12  4 10  6  2  4
 2     0  0  0  8  0  4  4  4  0  6  8  6 12  6  4  2
...
3F     4  8  4  2  4  0  2  4  4  2  4  8  8  6  2  2
What would ideal distribution be?
Rows: input XOR; columns: output XOR.

       0 1 2 3 4 5 6 7 8 9 A B C D E F
 0     4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
 1     4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
 2     4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
...    4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
3F     4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

Why can't we just make S-boxes that do this?
Getting deterministically different outputs when the inputs are identical is really, really hard! Input XOR 0 means the two inputs are the same, so the outputs must be the same: row 0 is forced to be 64 in column 0 and 0 everywhere else. Every other row must still sum to 64, and each entry is even (the pairs (x, x ⊕ ΔX) and (x ⊕ ΔX, x) give the same output XOR), so the flat table is unattainable; the design goal is to keep the largest entries of the non-zero rows as small as possible.
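The XOR distribution table above, and the claim on the Goal slide that knowing one round's differences yields its subkey, as an added example that is not from the lecture or from Heys' tutorial. It rebuilds S1 from the table on the slide, computes the full 64×16 XOR distribution table, lists the four inputs that map to 0, and simulates recovering the 6 subkey bits feeding one S-box from chosen pairs with a fixed input XOR. Modelling a single S-box with a secret 6-bit subkey is a simplification of the real last-round attack; the function names, the sample key and the input values are constructed for illustration.

```python
# DES S-box S1, copied from the slide: 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7],
    [0x0, 0xF, 0x7, 0x4, 0xE, 0x2, 0xD, 0x1, 0xA, 0x6, 0xC, 0xB, 0x9, 0x5, 0x3, 0x8],
    [0x4, 0x1, 0xE, 0x8, 0xD, 0x6, 0x2, 0xB, 0xF, 0xC, 0x9, 0x7, 0x3, 0xA, 0x5, 0x0],
    [0xF, 0xC, 0x8, 0x2, 0x4, 0x9, 0x1, 0x7, 0x5, 0xB, 0x3, 0xE, 0xA, 0x0, 0x6, 0xD],
]


def sbox(x: int, table=S1) -> int:
    """6-bit input x1..x6 (x1 most significant): row = x1x6, column = x2x3x4x5."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def preimages(y: int, table=S1):
    """All 6-bit inputs the S-box maps to output y."""
    return [x for x in range(64) if sbox(x, table) == y]


def xor_distribution(table=S1):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy; each row sums to 64."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(x, table) ^ sbox(x ^ dx, table)] += 1
    return ddt


def best_differentials(table=S1, top=3):
    """Most probable (count, dx, dy) with dx != 0: the raw material for a characteristic."""
    ddt = xor_distribution(table)
    cells = [(ddt[dx][dy], dx, dy) for dx in range(1, 64) for dy in range(16)]
    return sorted(cells, reverse=True)[:top]


def subkey_candidates(e_r: int, e_r2: int, dy: int, table=S1):
    """Subkey values k consistent with one chosen pair.

    e_r, e_r2: the six expansion-output bits feeding this S-box for the two texts
    (known to the attacker, who knows the plaintexts); the S-box actually sees
    e_r ^ k and e_r2 ^ k, and dy is the output XOR observed in the ciphertexts."""
    return {k for k in range(64) if sbox(e_r ^ k, table) ^ sbox(e_r2 ^ k, table) == dy}


def recover_subkey(true_key: int, dx: int, inputs=range(64), table=S1):
    """Simulate the attack: intersect candidate sets over pairs with input XOR dx.

    The pair (e_r, e_r ^ dx) is symmetric, so k ^ dx survives alongside k; the real
    attack resolves that with the other S-boxes and the E/P wiring."""
    cands = set(range(64))
    for e_r in inputs:
        # The oracle: what the round with the unknown key outputs for this pair.
        dy = sbox(e_r ^ true_key, table) ^ sbox(e_r ^ dx ^ true_key, table)
        cands &= subkey_candidates(e_r, e_r ^ dx, dy, table)
    return cands


if __name__ == "__main__":
    ddt = xor_distribution()
    print("inputs mapping to 0:", [format(x, "06b") for x in preimages(0)])
    print("row 1 of the XOR table:", ddt[1])
    print("most probable differentials (count out of 64, dx, dy):", best_differentials())
    print("candidates for subkey 0b101010 from pairs with dx = 1:",
          sorted(format(k, "06b") for k in recover_subkey(0b101010, 1)))
```

`best_differentials` is what an attacker reads off the table when building a multi-round characteristic: the larger the count, the fewer chosen pairs are needed for that round. Running the recovery with every possible input pair leaves only the true key and its partner key ⊕ dx, which is as far as a single S-box can take you.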
Differential Cryptanalysis
• Propagate the one-round difference probabilities (from the S-box XOR tables) through 16 rounds
• After enough P-C pairs, one key becomes most probable
• Difficulty depends heavily on the S-box choices
• First published in 1990, but NSA knew about it in 1973! (That's why they changed IBM's S-boxes!)
Differential Cryptanalysis
• "Successful" on DES up to 15 rounds (better than exhaustive search)
• By the 16th round, characteristic probabilities are $2^{-56}$
• Very successful on DES variants (breaks GDES with 6 chosen plaintexts)
• Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...)
• Would be very successful on the Curry Cipher (but so would less sophisticated techniques)
Related Techniques
• Linear Cryptanalysis [Matsui, 1994]
  – Try to find equations like
    $X_{i_1} \oplus X_{i_2} \oplus \dots \oplus X_{i_n} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \dots \oplus Y_{j_v} = 0$
    where $X_{i_k}$ selects some input bit and $Y_{j_k}$ selects some output bit, such that the probability it is satisfied is different from ½
• Boomerang Attack [Wagner 1999]
• Slide Attacks [Biryukov & Wagner, 1999]
Charge
• Find a partner for PS2 now
  – If you have already gotten past question 1 with someone, you can keep working together
  – Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more):
    • Nationality
    • Major (CS/Math/ECE/Bioinformatics/other)
    • Year (Grad/4th/3rd/other)
    • Liked breaking two-time pad (yes/no)